net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program syzkaller login: [ 20.467308] refcount_t: underflow; use-after-free. [ 20.467862] ------------[ cut here ]------------ [ 20.468354] WARNING: CPU: 1 PID: 3474 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0 [ 20.469156] Kernel panic - not syncing: panic_on_warn set ... [ 20.469156] [ 20.469829] CPU: 1 PID: 3474 Comm: syzkaller454885 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 20.470602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 20.473052] Call Trace: [ 20.473244] dump_stack+0x194/0x257 [ 20.473491] ? arch_local_irq_restore+0x53/0x53 [ 20.473770] ? vsnprintf+0x1ed/0x1900 [ 20.473998] panic+0x1e4/0x41c [ 20.474190] ? refcount_error_report+0x214/0x214 [ 20.474480] ? show_regs_print_info+0x65/0x65 [ 20.474752] ? __warn+0x1a9/0x1e0 [ 20.474967] ? refcount_sub_and_test+0x167/0x1b0 [ 20.475400] __warn+0x1c4/0x1e0 [ 20.475706] ? refcount_sub_and_test+0x167/0x1b0 [ 20.476137] report_bug+0x211/0x2d0 [ 20.476470] fixup_bug+0x40/0x90 [ 20.476777] do_trap+0x260/0x390 [ 20.477090] do_error_trap+0x120/0x390 [ 20.477447] ? do_trap+0x390/0x390 [ 20.477770] ? refcount_sub_and_test+0x167/0x1b0 [ 20.478264] ? vprintk_emit+0x3ea/0x590 [ 20.478632] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 20.479080] do_invalid_op+0x1b/0x20 [ 20.479417] invalid_op+0x18/0x20 [ 20.479730] RIP: 0010:refcount_sub_and_test+0x167/0x1b0 [ 20.480211] RSP: 0018:ffff88003a606500 EFLAGS: 00010282 [ 20.480693] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000 [ 20.481343] RDX: 0000000000000026 RSI: 1ffff100074c0c60 RDI: ffffed00074c0c94 [ 20.481996] RBP: ffff88003a606590 R08: 0000000000000001 R09: 0000000000000000 [ 20.482652] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff100074c0ca1 [ 20.483379] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff88006c5d99fc [ 20.484054] ? refcount_inc+0x50/0x50 [ 20.484630] ? sctp_outq_free+0x15/0x20 [ 20.484867] ? sctp_do_sm+0x271b/0x6a30 [ 20.485116] ? sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 20.485420] ? sctp_close+0x3c6/0x980 [ 20.485646] ? inet_release+0xed/0x1c0 [ 20.485882] ? sock_release+0x8d/0x1e0 [ 20.486132] sctp_wfree+0x183/0x620 [ 20.486353] ? __sctp_write_space+0x910/0x910 [ 20.486651] skb_release_head_state+0x124/0x200 [ 20.486938] skb_release_all+0x15/0x60 [ 20.487194] consume_skb+0x153/0x490 [ 20.487414] ? sctp_chunk_put+0x99/0x420 [ 20.487677] ? alloc_skb_with_frags+0x750/0x750 [ 20.487956] ? sctp_chunk_hold+0x20/0x20 [ 20.488211] ? refcount_sub_and_test+0x115/0x1b0 [ 20.488493] ? refcount_inc+0x50/0x50 [ 20.488739] ? mark_held_locks+0xaf/0x100 [ 20.488986] ? sctp_datamsg_put+0x456/0x560 [ 20.489256] sctp_chunk_put+0x29c/0x420 [ 20.489493] ? sctp_chunk_hold+0x20/0x20 [ 20.489760] ? sctp_transport_dst_confirm+0x50/0x50 [ 20.490072] ? sctp_sched_fcfs_dequeue+0x198/0x290 [ 20.490364] ? sctp_sched_dequeue_common+0x5d0/0x5d0 [ 20.490666] ? print_irqtrace_events+0x270/0x270 [ 20.491046] ? print_irqtrace_events+0x270/0x270 [ 20.491477] sctp_chunk_free+0x53/0x60 [ 20.491910] __sctp_outq_teardown+0xa5b/0x1230 [ 20.492440] ? sctp_inq_set_th_handler+0x1b0/0x1b0 [ 20.492887] ? print_irqtrace_events+0x270/0x270 [ 20.493319] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.493790] ? ptlock_free+0x38/0x42 [ 20.494129] ? check_noncircular+0x20/0x20 [ 20.494515] ? __lock_acquire+0x6aa/0x3d50 [ 20.494903] ? print_irqtrace_events+0x270/0x270 [ 20.495335] ? check_noncircular+0x20/0x20 [ 20.495715] ? print_irqtrace_events+0x270/0x270 [ 20.496142] ? __lock_acquire+0x6aa/0x3d50 [ 20.496531] ? lock_acquire+0x1d5/0x580 [ 20.496890] ? lock_acquire+0x1d5/0x580 [ 20.497251] ? lock_timer_base+0x1a3/0x2b0 [ 20.497637] ? find_held_lock+0x35/0x1d0 [ 20.498014] ? sock_def_wakeup+0x1f9/0x350 [ 20.498397] ? lock_downgrade+0x990/0x990 [ 20.498773] ? lock_release+0xa40/0xa40 [ 20.499143] sctp_outq_free+0x15/0x20 [ 20.499491] sctp_association_free+0x2d0/0x930 [ 20.499914] ? sctp_asconf_queue_teardown+0x700/0x700 [ 20.500383] ? sock_def_wakeup+0x222/0x350 [ 20.500771] ? sk_dst_check+0x560/0x560 [ 20.501138] ? sctp_association_put+0x74/0x2f0 [ 20.501556] ? sctp_association_hold+0x20/0x20 [ 20.501971] ? unwind_get_return_address+0x61/0xa0 [ 20.502419] sctp_do_sm+0x271b/0x6a30 [ 20.502772] ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0 [ 20.503322] ? print_irqtrace_events+0x270/0x270 [ 20.503748] ? __lock_acquire+0x6aa/0x3d50 [ 20.504127] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.504591] ? __lock_acquire+0x6aa/0x3d50 [ 20.504978] ? print_irqtrace_events+0x270/0x270 [ 20.505629] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.506099] ? find_held_lock+0x35/0x1d0 [ 20.506471] ? skb_dequeue+0x12a/0x180 [ 20.506824] ? lock_downgrade+0x990/0x990 [ 20.507215] ? do_raw_spin_trylock+0x190/0x190 [ 20.507629] ? mark_held_locks+0xaf/0x100 [ 20.508004] ? trace_hardirqs_on+0xd/0x10 [ 20.508381] sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 20.508796] sctp_close+0x3c6/0x980 [ 20.509121] ? is_bpf_text_address+0xa4/0x120 [ 20.509528] ? sctp_apply_peer_addr_params+0xf30/0xf30 [ 20.510000] ? __save_stack_trace+0x7e/0xd0 [ 20.510390] ? check_noncircular+0x20/0x20 [ 20.510773] ? depot_save_stack+0x12c/0x490 [ 20.511175] ? locks_remove_file+0x3fa/0x5a0 [ 20.511571] ? fcntl_setlk+0x10c0/0x10c0 [ 20.511936] ? free_fs_struct+0x4f/0x60 [ 20.512296] ? __fsnotify_parent+0xb4/0x3a0 [ 20.512683] ? ip_mc_drop_socket+0x1ce/0x230 [ 20.513081] inet_release+0xed/0x1c0 [ 20.513418] sock_release+0x8d/0x1e0 [ 20.513752] ? sock_release+0x1e0/0x1e0 [ 20.514107] sock_close+0x16/0x20 [ 20.514418] __fput+0x327/0x7e0 [ 20.514722] ? fput+0x140/0x140 [ 20.515030] ? _raw_spin_unlock_irq+0x27/0x70 [ 20.515438] ____fput+0x15/0x20 [ 20.515735] task_work_run+0x199/0x270 [ 20.516087] ? task_work_cancel+0x210/0x210 [ 20.516482] ? _raw_spin_unlock+0x22/0x30 [ 20.516855] ? switch_task_namespaces+0x87/0xc0 [ 20.517280] do_exit+0x9b5/0x1ad0 [ 20.517597] ? mm_update_next_owner+0x930/0x930 [ 20.518016] ? check_noncircular+0x20/0x20 [ 20.518398] ? check_noncircular+0x20/0x20 [ 20.518780] ? lock_downgrade+0x990/0x990 [ 20.519166] ? do_raw_spin_trylock+0x190/0x190 [ 20.519579] ? mark_held_locks+0xaf/0x100 [ 20.519959] ? reacquire_held_locks+0x1fd/0x3d0 [ 20.520382] ? reacquire_held_locks+0x1fd/0x3d0 [ 20.520806] ? find_held_lock+0x35/0x1d0 [ 20.521182] ? release_sock+0x1d4/0x2a0 [ 20.521543] ? lock_downgrade+0x990/0x990 [ 20.521920] ? check_noncircular+0x20/0x20 [ 20.522307] ? do_raw_spin_trylock+0x190/0x190 [ 20.522722] ? trace_hardirqs_on+0xd/0x10 [ 20.523103] ? __local_bh_enable_ip+0x9d/0x160 [ 20.523519] ? __local_bh_enable_ip+0x9d/0x160 [ 20.523934] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 20.524388] ? release_sock+0x1d4/0x2a0 [ 20.524748] ? trace_hardirqs_on+0xd/0x10 [ 20.525124] ? __local_bh_enable_ip+0x9d/0x160 [ 20.525541] ? find_held_lock+0x35/0x1d0 [ 20.525915] ? get_signal+0x7ae/0x16d0 [ 20.526268] ? lock_downgrade+0x990/0x990 [ 20.526894] do_group_exit+0x149/0x400 [ 20.527268] ? __lock_is_held+0xb6/0x140 [ 20.527638] ? SyS_exit+0x30/0x30 [ 20.527955] ? _raw_spin_unlock_irq+0x27/0x70 [ 20.528367] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 20.528826] get_signal+0x73f/0x16d0 [ 20.529170] ? ptrace_notify+0x130/0x130 [ 20.529539] ? inet_autobind+0x1f/0x180 [ 20.529902] ? __local_bh_enable_ip+0x9d/0x160 [ 20.530321] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 20.530774] ? release_sock+0x1d4/0x2a0 [ 20.531138] ? trace_hardirqs_on+0xd/0x10 [ 20.531510] ? __local_bh_enable_ip+0x9d/0x160 [ 20.531924] ? _raw_spin_unlock_bh+0x30/0x40 [ 20.532322] ? release_sock+0x1d4/0x2a0 [ 20.532688] ? __release_sock+0x360/0x360 [ 20.533068] ? trace_hardirqs_on+0xd/0x10 [ 20.533449] do_signal+0x94/0x1ee0 [ 20.533776] ? inet_sendmsg+0x126/0x5e0 [ 20.534136] ? __might_sleep+0x95/0x190 [ 20.534500] ? setup_sigcontext+0x7d0/0x7d0 [ 20.534894] ? selinux_socket_sendmsg+0x36/0x40 [ 20.535323] ? security_socket_sendmsg+0x89/0xb0 [ 20.535756] ? inet_recvmsg+0x5f0/0x5f0 [ 20.536118] ? sock_sendmsg+0x4f/0x110 [ 20.536473] ? fput+0xd2/0x140 [ 20.536767] ? SYSC_sendto+0x40d/0x5a0 [ 20.537124] ? SYSC_connect+0x470/0x470 [ 20.537491] ? mm_fault_error+0x2c0/0x2c0 [ 20.537869] ? exit_to_usermode_loop+0x8c/0x310 [ 20.538298] exit_to_usermode_loop+0x214/0x310 [ 20.538716] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 20.539234] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 20.539692] syscall_return_slowpath+0x42f/0x510 [ 20.540128] ? finish_task_switch+0x1aa/0x740 [ 20.540539] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 20.540996] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 20.541446] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 20.541903] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 20.542340] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 20.542766] RIP: 0033:0x442309 [ 20.543061] RSP: 002b:00007fd51c45dcf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 20.543747] RAX: 000000000000001a RBX: 0000000000000000 RCX: 0000000000442309 [ 20.544391] RDX: 000000000000001a RSI: 0000000020001f98 RDI: 0000000000000005 [ 20.545039] RBP: 0000000000000000 R08: 0000000020944000 R09: 0000000000000010 [ 20.545684] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000 [ 20.546336] R13: 0000000000000000 R14: 00007fd51c45e9c0 R15: 00007fd51c45e700 [ 20.547293] Dumping ftrace buffer: [ 20.547778] (ftrace buffer empty) [ 20.548170] Kernel Offset: disabled [ 20.548528] Rebooting in 86400 seconds..